And deploying code which let anyone using any login and password (and by any I mean really any combination, even asdf/asdf worked) authenticate. And have access to the administration panel. No fun. At least at first, when I shook my head in disbelief over the deployed code. How could I not check it… How could I not write even the simplest unit test… A quick fix and a few minutes later the site was fixed. After that I simply burst out laughing over my stupidity.
Thankfully, hardly anyone ever tries to log in to this particular site (the login page has both no-index and no-follow, so it does not attract Google scripters), so despite the fact that this bug has been live for a little over 12 hours, no one broke in.